200

Arch Linux AUR Malware Campaign Hits Multiple User-Contributed Packages (linuxiac.com)

submitted 20 hours ago by cm0002@lemy.lol to c/linux@programming.dev

57 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] FiniteBanjo@programming.dev 17 points 18 hours ago* (last edited 17 hours ago)

~~Users can check if they're already compromised with pacman -Q | grep alvr I think maybe?~~ EDIT: No, sorry, alvr was just one of countless affected packages. Also, several is an understatement since a huge number of packages are affected.

Post with more information here: https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/

[-] TheDuke@europe.pub 4 points 9 hours ago

Oh my, I'm new to Linux and I use CachyOS for my gaming rig at home. Most of the time I have no idea what I'm doing, but shit runs well and I'm happy about it. But how the hell do I check my noob ass if it's compromised?!

[-] FiniteBanjo@programming.dev 1 points 3 hours ago* (last edited 2 hours ago)

I'm not real clear on if this is the case but you could try:

Have you installed or updated from the AUR before, such as with Yay? Specifically after June 5th? If so, check this list or the post above for a list of compromised packages. https://gr.ht/aur_pkg_list.txt
Maybe pacman -Q | grep atomic-lockfile because that appears to be what the threat actor is installing but I'm not really sure if that's how it works...?

EDIT: If you really want to play it safe then you could try yay -R $(pacman -Qmq) to remove every aur package and wait out the storm, just be careful to backup important files.

[-] Grass@sh.itjust.works 5 points 18 hours ago

alvr as in the vr streaming program for standalone headsets? that's kind of a niche among niches. Linux VR users with standalone vr headsets that use that specific method.

[-] webghost0101@sopuli.xyz 18 points 17 hours ago* (last edited 17 hours ago)

Sweats in “linux vr is one of my current hobby projects”

[-] Grass@sh.itjust.works 5 points 13 hours ago

it's going to be year of the linux vr soon anyway

[-] django@discuss.tchncs.de 2 points 13 hours ago

I am so hyped for this actually

[-] NOPper@lemmy.dbzer0.com 5 points 16 hours ago

I panicked a bit when I saw the news earlier today as one of those niche guys. Then remembered I had removed it for WiVRn a few weeks ago and don't have anything else off the AUR. Double niche win lol

[-] FiniteBanjo@programming.dev 3 points 17 hours ago* (last edited 17 hours ago)

EDIT: No, sorry, alvr was just one package, there is no specific source for the infection just one or many malicious users: https://gr.ht/aur_pkg_list.txt

[-] timestatic@feddit.org 1 points 14 hours ago

I actually had the alvr bin aur installed on my old destop machine. Its just the only proper way for me on Quest to properly play any PCVR games. But i haven't used nor updated that one in a while. My new arch machine luckily doesn't have this installed but now im freaking out

this post was submitted on 12 Jun 2026

200 points (99.5% liked)

Linux

13949 readers

512 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev